The Management Swiftlet is the management facility of a SwiftMQ router and the server side component for the administration tools SwiftMQ Explorer and CLI.
A SwiftMQ router is managable from a SwiftMQ administration component if the component has a send grant on the queue "swiftmqmgmt" of the particular router, because this queue is the inbound queue of the Management Swiftlet to process management requests. Since authentication can be granted on any router in a SwiftMQ router network, everybody can administer a SwiftMQ router if his local router grants access to the management queue on a remote router.
This was a problem in the past and is solved in SwiftMQ 4.0.0. Starting with this release, the access to the Management Swiftlet can be password protected and administration tools have to perform an additional authentication step to get access to the protected router.
Protecting access is quite easy. One has to set the attribute "authentication-enabled" to "true" and has to specify a password via the attribute "password". The attribut "crfactory-class" doesn't need to be changed since it contains a valid challenge/response factory. This factory is used to handle the password exchange by challenge/response to avoid to send the password over the wire.
Example:
<swiftlet name="sys$mgmt" authentication-enabled="true" password="h7kyxZZu"/>
If a SwiftMQ Explorer connects to this router, it displays a red-lighted router symbol in the navigator frame which means that this router is protected:
By selecting this node and performing a right mouse click, a popup menu appears with one entry "Authenticate":
Now enter the password specified for the Management Swiftlet:
Thereafter the red-lighted router symbol disappears and a new green-lighted symbol is displayed and the router is managable:
With CLI (or the CLI Admin API) the command "authenticate" has to be used to authenticate access against a protected Management Swiftlet:
Example:
router1> authenticate h7kyxZZu
router1>_
All connected SwiftMQ administration tools are displayed within the "Usage" entity of the Management Swiftlet:
The name of an entry is just the reply queue name of the adminsitration tool because this name is unique. Each entry contains attributes such as connect time, hostname, etc.
It is possible to disconnect an administration tool simply by deleting the entry from the usage list:
The disconnected administration tool gets a notification and the router isn't managable anymore:
